Organisations sometimes paint all of their employees with the same brush when it comes to cybersecurity - after all, isn’t everyone at risk of causing a breach? 

But as a matter of fact, many employees are real security pros: they rarely fall for phishing scams. For those users, most awareness controls will not reduce the already low cyber risk for the organisation. At the other end of the spectrum are the users the CISO has nightmares about: users who click on every single link and who seem to repel any form of policy or training.

This report is based on 15m unique events associated with 168k users, spread across more than 3.8k departments.

So what constitutes a “high-risk user”?

  • Most users pose a low cybersecurity risk - almost 80% of users receiving 10 or more phishing emails never click.
  • Around 20% of users receiving 10 or more phishing emails click at least once. 
  • However, a small minority of all users (0.8%) click more than 80% of phishing emails!
  • Only 3% of users are responsible for 92% of malware events – 1% will average an incident every other week.

A useful definition of high-risk users is those at or above the 75th percentile. The number of high-risk users depends on each specific organisation, but according to the report's data, it is typically around 12

Users who click links in phishing emails

Source: Elevate Security / Cyentia “The Size And Shape Of Workforce Risk”

What departments are high-risk users hiding in?

  • The top departments where high-risk users work are customer service (22%), R&D (18.5%), data analysis (16.5%), and creative (13.7%).
  • Perhaps unexpectedly, IT isn’t a particularly low-risk department, with about 10% of employees considered high-risk.

In which departments are high-risk users?

Source: Elevate Security / Cyentia, “High-Risk Users and Where to Find Them”
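The working definition above (a high-risk user is one at or above the 75th percentile of click rate, counted only among users who received 10 or more phishing emails) and the department breakdown that follows it can both be reproduced from an organisation's own phishing-simulation logs. The script below is an added example, not code from the report or from Elevate Security / Cyentia: the event records, user names, department labels and the nearest-rank percentile method are all constructed assumptions, and it goes slightly beyond the text by also picking out the small group that clicks more than 80% of what it receives.

```python
"""Flag high-risk users from phishing-simulation events (added example).

Applies the page's working definition -- a high-risk user sits at or above
the 75th percentile of click rate, scored only for users who received at
least 10 phishing emails -- to a constructed event log, then reports which
departments the flagged users sit in and which users click more than 80%
of what they receive.  All data below is constructed sample data.
"""
import math
from collections import defaultdict
from typing import Dict, List, Tuple

Event = Tuple[str, str, str]  # (user, department, event_type)
MIN_RECEIVED = 10  # the page only scores users who received 10+ emails


def _user_events(user: str, dept: str, received: int, clicks: int) -> List[Event]:
    """Build constructed events for one user: deliveries followed by clicks."""
    return ([(user, dept, "phish_received")] * received
            + [(user, dept, "phish_click")] * clicks)


# Constructed sample log: nine users, one of whom has too little data to score.
SAMPLE_EVENTS: List[Event] = (
    _user_events("alice", "customer_service", 12, 10)  # clicks almost everything
    + _user_events("bob", "it", 12, 1)
    + _user_events("carol", "rnd", 15, 0)
    + _user_events("dave", "rnd", 10, 3)
    + _user_events("erin", "finance", 4, 2)            # fewer than 10 emails: not scored
    + _user_events("frank", "it", 10, 1)
    + _user_events("grace", "creative", 20, 1)
    + _user_events("heidi", "it", 10, 5)
    + _user_events("ivan", "data_analysis", 11, 0)
)


def click_rates(events: List[Event], min_received: int = MIN_RECEIVED) -> Dict[str, float]:
    """Per-user click rate (clicks / emails received) for users with enough data."""
    received: Dict[str, int] = defaultdict(int)
    clicks: Dict[str, int] = defaultdict(int)
    for user, _dept, kind in events:
        if kind == "phish_received":
            received[user] += 1
        elif kind == "phish_click":
            clicks[user] += 1
    return {u: clicks[u] / n for u, n in received.items() if n >= min_received}


def percentile(values: List[float], pct: float) -> float:
    """Nearest-rank percentile (assumed method): the smallest value such that
    at least pct% of the sample is less than or equal to it."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100.0 * len(ordered)))
    return ordered[rank - 1]


def high_risk_users(events: List[Event], pct: float = 75.0,
                    min_received: int = MIN_RECEIVED) -> Tuple[float, List[str]]:
    """Return (threshold click rate, sorted users at or above that threshold)."""
    rates = click_rates(events, min_received)
    threshold = percentile(list(rates.values()), pct)
    return threshold, sorted(u for u, r in rates.items() if r >= threshold)


def repeat_clickers(events: List[Event], min_rate: float = 0.8) -> List[str]:
    """Users who click more than min_rate of the phishing emails they receive."""
    return sorted(u for u, r in click_rates(events).items() if r > min_rate)


def department_share(events: List[Event], flagged: List[str]) -> Dict[str, float]:
    """Fraction of the flagged population that sits in each department."""
    dept_of = {user: dept for user, dept, _ in events}
    counts: Dict[str, int] = defaultdict(int)
    for user in flagged:
        counts[dept_of[user]] += 1
    return {d: c / len(flagged) for d, c in counts.items()}


if __name__ == "__main__":
    threshold, flagged = high_risk_users(SAMPLE_EVENTS)
    print(f"75th percentile click rate: {threshold:.2f}")
    print("high-risk users:", flagged)
    print("repeat clickers (>80%):", repeat_clickers(SAMPLE_EVENTS))
    for dept, share in sorted(department_share(SAMPLE_EVENTS, flagged).items()):
        print(f"  {dept}: {share:.0%} of high-risk users")
```

On this sample, eight users are scored (erin is dropped for having fewer than 10 emails), the 75th-percentile threshold lands at a 0.30 click rate, and alice, dave and heidi are flagged, with alice alone crossing the 80% repeat-clicker line. Note that heidi, in IT, is flagged on the same footing as everyone else, which is the point the department figure makes about IT not being inherently low-risk.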

Who is worse? The CEO, the middle manager, or the front-line employee?

  • The data suggests that middle management has the highest rate of high-risk users.

Risk by Position in Org Chart

Source: Elevate Security / Cyentia, “High-Risk Users and Where to Find Them”

Why does this matter for businesses?

To mitigate risk among their employees, organisations typically favour an indiscriminate, blanket approach. But high-risk users aren’t evenly distributed. Businesses need to uncover which users pose the biggest risks and apply a differentiated set of controls to them.

Read the report